This is an automated email from the ASF dual-hosted git repository. markusthoemmes pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push: new 2b3f586 Add User-Agent to list of allowed CORS headers. (#4010) 2b3f586 is described below commit 2b3f586193ffcc081eb8df19219c80f48d2fa6e9 Author: Nick Mitchell <star...@users.noreply.github.com> AuthorDate: Tue Sep 18 13:18:27 2018 -0400 Add User-Agent to list of allowed CORS headers. (#4010) Fixes #4009
---
 .../controller/src/main/scala/whisk/core/controller/RestAPIs.scala | 7 +++++-- .../src/main/scala/whisk/core/controller/WebActions.scala | 2 +- docs/rest_api.md | 2 +- docs/webactions.md | 2 +- tests/src/test/scala/services/HeadersTests.scala | 2 +- tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala | 2 +- .../test/scala/whisk/core/controller/test/WebActionsApiTests.scala | 2 +- 7 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala b/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
index 3f69c83..5199889 100644
--- a/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
+++ b/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
@@ -19,6 +19,7 @@ package whisk.core.controller
 import akka.actor.ActorSystem
 import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport._
+import akka.http.scaladsl.model.HttpMethods.{DELETE, GET, HEAD, POST, PUT}
 import akka.http.scaladsl.model.StatusCodes._
 import akka.http.scaladsl.model.Uri
 import akka.http.scaladsl.model.headers._
@@ -150,8 +151,10 @@ protected[controller] object RestApiCommons {
 */
 protected[controller] trait RespondWithHeaders extends Directives {
 val allowOrigin = `Access-Control-Allow-Origin`.*
- val allowHeaders = `Access-Control-Allow-Headers`("Authorization", "Content-Type")
- val sendCorsHeaders = respondWithHeaders(allowOrigin, allowHeaders)
+ val allowHeaders = `Access-Control-Allow-Headers`("*")
+ val allowMethods =
+ `Access-Control-Allow-Methods`(GET, DELETE, POST, PUT, HEAD)
+ val sendCorsHeaders = respondWithHeaders(allowOrigin, allowHeaders, allowMethods)
 }
 case class WhiskInformation(buildNo: String, date: String)
diff --git a/core/controller/src/main/scala/whisk/core/controller/WebActions.scala b/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
index 6f52657..e03bdc8 100644
--- a/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
+++ b/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
@@ -383,7 +383,7 @@ trait WhiskWebActionsApi extends Directives with ValidateRequestSize with PostAc
 List(`Access-Control-Allow-Origin`.*, `Access-Control-Allow-Methods`(OPTIONS, GET, DELETE, POST, PUT, HEAD, PATCH))
 private val defaultCorsWithAllowHeader = {
- defaultCorsBaseResponse :+ `Access-Control-Allow-Headers`(`Authorization`.name, `Content-Type`.name)
+ defaultCorsBaseResponse :+ `Access-Control-Allow-Headers`("*")
 }
 private def defaultCorsResponse(headers: Seq[HttpHeader]): List[HttpHeader] = {
diff --git a/docs/rest_api.md b/docs/rest_api.md
index b6c04a2..28932be 100644
--- a/docs/rest_api.md
+++ b/docs/rest_api.md
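Review bot: The wildcard in ``val allowHeaders = `Access-Control-Allow-Headers`("*")`` (RestAPIs.scala, trait RespondWithHeaders) does not cover `Authorization`: the Fetch standard treats that header as a non-wildcard name that must be listed explicitly, and a client that does not implement the wildcard reads `*` as a literal header name. The REST API is authenticated through that header, so browser callers may start failing preflight, while every other request header is now accepted from any origin, which is wider than the `User-Agent` addition named in the commit title. Listing the headers keeps the policy minimal and matches the title: ``val allowHeaders = `Access-Control-Allow-Headers`("Authorization", "Content-Type", "User-Agent")``. The same applies to `defaultCorsWithAllowHeader` in WebActions.scala, and the `*` expectations in the docs and test hunks would change with it.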
@@ -82,7 +82,7 @@ curl -u USERNAME:PASSWORD https://openwhisk.ng.bluemix.net/api/v1/namespaces/whi
 In this example the authentication was passed using the `-u` flag, you can pass this value also as part of the URL as `https://$AUTH@{APIHOST}`
-The OpenWhisk API supports request-response calls from web clients. OpenWhisk responds to `OPTIONS` requests with Cross-Origin Resource Sharing headers. Currently, all origins are allowed (that is, Access-Control-Allow-Origin is "`*`") and Access-Control-Allow-Headers yield Authorization and Content-Type.
+The OpenWhisk API supports request-response calls from web clients. OpenWhisk responds to `OPTIONS` requests with Cross-Origin Resource Sharing headers. Currently, all origins are allowed (that is, Access-Control-Allow-Origin is "`*`"), the standard set of methods are allowed (that is, Access-Control-Allow-Methods is "`GET, DELETE, POST, PUT, HEAD`"), and Access-Control-Allow-Headers yields "`*`".
 **Attention:** Because OpenWhisk currently supports only one key per namespace, it is not recommended to use CORS beyond simple experiments. Use [Web Actions](webactions.md) or [API Gateway](apigateway.md) to expose your actions to the public and not use the OpenWhisk authorization key for client applications that require CORS.
diff --git a/docs/webactions.md b/docs/webactions.md
index 3e98fe0..547fcba 100644
--- a/docs/webactions.md
+++ b/docs/webactions.md
@@ -450,7 +450,7 @@ if it is present in the HTTP request. Otherwise, a default value is generated as
 ```
 Access-Control-Allow-Origin: *
 Access-Control-Allow-Methods: OPTIONS, GET, DELETE, POST, PUT, HEAD, PATCH
-Access-Control-Allow-Headers: Authorization, Content-Type
+Access-Control-Allow-Headers: *
 ```
 Alternatively, OPTIONS requests can be handled manually by a web action. To enable this option add a
diff --git a/tests/src/test/scala/services/HeadersTests.scala b/tests/src/test/scala/services/HeadersTests.scala
index 42c51c3..c0485de 100644
--- a/tests/src/test/scala/services/HeadersTests.scala
+++ b/tests/src/test/scala/services/HeadersTests.scala
@@ -64,7 +64,7 @@ class HeadersTests extends FlatSpec with Matchers with ScalaFutures with WskActo
 val creds = BasicHttpCredentials(whiskAuth.fst, whiskAuth.snd)
 val allMethods = Some(Set(DELETE.name, GET.name, POST.name, PUT.name))
 val allowOrigin = `Access-Control-Allow-Origin`.*
- val allowHeaders = `Access-Control-Allow-Headers`("Authorization", "Content-Type")
+ val allowHeaders = `Access-Control-Allow-Headers`("*")
 val url = Uri(s"$controllerProtocol://${WhiskProperties.getBaseControllerAddress()}")
 def request(method: HttpMethod, uri: Uri, headers: Option[Seq[HttpHeader]] = None): Future[HttpResponse] = {
diff --git a/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala b/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
index 61f374b..700f87e 100644
--- a/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
+++ b/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
@@ -204,7 +204,7 @@ class WskWebActionsTests extends TestHelpers with WskTestHelpers with RestUtil w
 response.statusCode shouldBe 200
 response.header("Access-Control-Allow-Origin") shouldBe "*"
 response.header("Access-Control-Allow-Methods") shouldBe "OPTIONS, GET, DELETE, POST, PUT, HEAD, PATCH"
- response.header("Access-Control-Allow-Headers") shouldBe "Authorization, Content-Type"
+ response.header("Access-Control-Allow-Headers") shouldBe "*"
 response.header("Location") shouldBe null
 response.header("Set-Cookie") shouldBe null
 }
diff --git a/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala b/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
index ba9e2cc..deee6fe 100644
--- a/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
+++ b/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
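Review bot: The HeadersTests.scala hunk updates only `allowHeaders`, so nothing visible here checks the `Access-Control-Allow-Methods` header that `sendCorsHeaders` now adds to REST responses. The assertions sit outside the hunk, so this may already be covered, but if it is not, an expected value declared next to the others would pin the new policy: ``val allowMethods = `Access-Control-Allow-Methods`(GET, DELETE, POST, PUT, HEAD)``, included wherever `allowOrigin` and `allowHeaders` are compared against the response. A CORS policy change that no test asserts can later be widened without anyone noticing.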
@@ -1502,7 +1502,7 @@ trait WebActionsApiBaseTests extends ControllerTestCommon with BeforeAndAfterEac
 if (testHeader.name == `Access-Control-Request-Headers`.name) {
 header("Access-Control-Allow-Headers").get.toString shouldBe "Access-Control-Allow-Headers: x-custom-header"
 } else {
- header("Access-Control-Allow-Headers").get.toString shouldBe "Access-Control-Allow-Headers: Authorization, Content-Type"
+ header("Access-Control-Allow-Headers").get.toString shouldBe "Access-Control-Allow-Headers: *"
 }
 }
 }